Creating a Digital Twin of an Insider Threat Detection Enterprise Using Model-Based Systems Engineering

Inference Enterprise Modeling (IEM) is a methodology developed to address test and evaluation limitations that insider threat detection enterprises face due to a lack of ground truth and/or missing data. IEM uses a collection of statistical, data processing, analysis, and machine learning techniques to estimate and forecast the performance of these enterprises. As part of developing the IEM method, models satisfying various detection system evaluation requirements were created. In this work, we extend IEM as a digital twin generation technique by representing modeled processes as executable UML Activity Diagrams and tracing solution processes to problem requirements using ontologies. Using the proposed framework, we can rapidly prototype a digital twin of a detection system that can also be imported and executed in systems engineering simulation software tools such as Cameo Enterprise Architecture Simulation Toolkit. Cyber security and threat detection is a continuous process that requires regular maintenance and testing throughout its lifecycle, but there often exists access issues for sensitive and private data and proprietary detection model details to perform adequate test and evaluation activities in the live production environment. To solve this issue, organizations can use a digital twin technique to create a real-time virtual counterpart of the physical system. We describe a method for creating digital twins of live and/or hypothetical insider threat detection enterprises for the purpose of performing test and evaluation activities on continuous monitoring systems that are sensitive to disruptions. In this work, we use UML Activity Diagrams to leverage the integrated simulation capabilities of Model-Based Systems Engineering (MBSE).